
Threat Intelligence Quality

I'm looking over NextDNS as a way to protect non-VPN-connected users from phishing attacks, but I'm disappointed that our latest phishing attack wasn't blocked, even with AI enabled.

Now a few days later, it is still not blocked, but 9.9.9.9 is blocking it.

% nslookup fail.gouheawo.com.de 9.9.9.9
Server: 9.9.9.9
Address: 9.9.9.9#53

** server can't find fail.gouheawo.com.de: NXDOMAIN

% nslookup fail.gouheawo.com.de 45.90.28.78
Server: 45.90.28.78
Address: 45.90.28.78#53

Non-authoritative answer:
Name: fail.gouheawo.com.de
Address: 172.64.80.1

Is this a fluke?  Is there a way to improve it?
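As an added example (not part of the original post or anything from NextDNS), here is a small stdlib-only Python script that repeats the comparison above against several resolvers at once and classifies each answer the way the thread does by hand: an NXDOMAIN block (how 9.9.9.9 answered above), a sinkhole answer such as 0.0.0.0 (how 1.1.1.2 answered in the first reply), or a real resolution (nothing blocked). The resolver list, the set of sinkhole addresses and the build_reply test fixture are my assumptions; the only network call is the query() function, which runs just when the script is executed directly.

```python
"""Ask several DNS resolvers about one suspect hostname and classify each answer.

Added example. Stdlib only: builds an A query by hand, parses the reply, and
reports whether the resolver returned NXDOMAIN, a sinkhole address, or a real
address. Resolver list and sinkhole set are assumptions, not NextDNS data.
"""
import secrets
import socket
import struct
import sys

# Assumption: addresses filtering resolvers commonly hand back instead of NXDOMAIN.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}

# Assumption: the resolvers compared in the thread, keyed by a display label.
RESOLVERS = {
    "Quad9": "9.9.9.9",
    "Cloudflare": "1.1.1.1",
    "Cloudflare malware": "1.1.1.2",
    "NextDNS": "45.90.28.78",
}


def build_query(name: str, qid: int) -> bytes:
    """Wire-format A/IN query with RD=1 and a single question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, qid: int):
    """Return (rcode, [A record addresses]) from a raw DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch (spoofed or stray reply)")
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(rcode: int, addrs) -> str:
    """Map a resolver's answer onto the behaviours seen in the thread."""
    if rcode == 3:
        return "NXDOMAIN"      # blocked by returning "does not exist" (9.9.9.9 style)
    if rcode != 0:
        return f"RCODE{rcode}"
    if addrs and all(a in SINKHOLE_IPS for a in addrs):
        return "SINKHOLE"      # blocked by answering 0.0.0.0 (1.1.1.2 style)
    return "RESOLVED" if addrs else "NODATA"


def build_reply(query_pkt: bytes, rcode: int, addrs) -> bytes:
    """Constructed reply to query_pkt for offline testing; not captured traffic."""
    qid = struct.unpack(">H", query_pkt[:2])[0]
    question = query_pkt[12:]
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + rrs


def query(resolver: str, name: str, timeout: float = 3.0):
    """Send one UDP query to resolver:53 and return (rcode, addrs)."""
    qid = secrets.randbelow(65536)  # unpredictable TXID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, qid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "fail.gouheawo.com.de"
    for label, ip in RESOLVERS.items():
        try:
            rcode, addrs = query(ip, target)
            print(f"{label:20} {ip:14} {classify(rcode, addrs):9} {', '.join(addrs)}")
        except (OSError, ValueError) as exc:
            print(f"{label:20} {ip:14} ERROR     {exc}")
```

Run it as `python3 resolver_check.py fail.gouheawo.com.de`. A plain IP query to a NextDNS anycast address does not necessarily carry the settings of a particular profile, so compare the result with what the configured endpoint returns before concluding that a list is missing the domain.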

4 replies

    • mgjk
    • 13 days ago
     % nslookup fail.gouheawo.com.de 45.90.28.78
    Server: 45.90.28.78
    Address: 45.90.28.78#53
    
    Non-authoritative answer:
    Name: fail.gouheawo.com.de
    Address: 172.64.80.1
    
     % nslookup fail.gouheawo.com.de 1.1.1.1
    Server: 1.1.1.1
    Address: 1.1.1.1#53
    
    Non-authoritative answer:
    Name: fail.gouheawo.com.de
    Address: 172.64.80.1
    
    % nslookup fail.gouheawo.com.de 1.1.1.2
    Server: 1.1.1.2
    Address: 1.1.1.2#53
    
    Non-authoritative answer:
    Name: fail.gouheawo.com.de
    Address: 0.0.0.0
    

    It looks like Cloudflare 1.1.1.2 is also blocking now. I can see the detection on https://otx.alienvault.com/indicator/hostname/fail.gouheawo.com.de

    Can I report this to NextDNS? Where are the sources from?

      • Lumineer
      • 5 days ago

       Looks like it's been whitelisted.

      • mgjk
      • 5 days ago

       I'm new to NextDNS, who and why would it be whitelisted?  Since the incident I've contacted Cloudflare (who's coincidentally hosting the CDN for the malware) and another provider which was hosting another redirect component.  The sites have been down for a few days now.

      • mgjk
      • 5 days ago

      It looks like it is up again...

      If you're referring to OTX, they're tough to interpret.  The important part is that it shows on the top right which lists it is on, and in the history, some of the fake HTTP/S content which the site was generating.  The Passive DNS is also useful for alternate names.

      I'm assuming the whitelisting in OTX is for the IP range, as you can't block the IP, as you would be blocking Cloudflare.  Their site has always been a bit odd.

      VirusTotal has also picked up the domain now.
